6 Tips to Segment a Network to Better Protect Your System

Protecting your valuable cardholder information is most likely quite high on your list of priorities, and it is more important than ever to fortify your computing system to thwart cyber-attackers who are relentlessly on a mission for malfeasance.

The Payment Card Industry (PCI) Security Standards Council has devised an important way for you to construct a strong barrier to invasion via network segmentation.

A Quick Review on the Basics of Network Segmentation

Network segmentation is an increasingly common practice in computer networking and is the process of splitting a computer network into a series of sub-networks. Sometimes referred to as “zoning,” network segmentation helps you avoid setting yourself up for maximum vulnerability when you rely on a monolithic target.

Once any unauthorized access occurs, network segmentation offers a greater chance of providing effective controls to minimize the potential threat in the next step of a network intrusion. More importantly, zoning your networks obstructs the cyber-attacker’s movements, prohibiting migration across the network and the escalation of exposure and risk.

In essence, network segmentation allows you to minimize the access level to sensitive information of any kind for applications under the segmented zones. Basically, you are barring entry to applications, serves and persons who have no reason to access sensitive information while in no way hindering those who do need to access it.

Why Are More and More IT Leaders Choosing to Segment Networks?

IT leaders are increasingly moving away from solely focusing on protecting the entire network perimeter as a single unit in an effort to fend off cyber-attackers because they are simply finding that it is not effective enough at keeping hackers at bay.

Industry professionals have realized that a flat and open network is relatively easy prey for hackers who, over the years, have discovered and devised a high-level combination of techniques to avoid detection, allowing them to wreak havoc for long blocks of time in an open network.

Following are just a few of the top benefits that IT experts cite for launching a network segmentation project:

• Minimizes PCI scope, resulting in saving time, money and human resource effort.
• Reduces congestion and improves performance since there are fewer hosts per each subnetwork, therefore limiting traffic.
• Provides a containment effect with network issues, limiting the effect of local failures on other segments of the network.
• Offers enhanced and improved security via the containment of broadcasts to a local network where the internal network structure is not discernible from the outside.

If you decide to segment your network, keep in mind just a few of the parties who stand to benefit from your diligence:

• Consumers who entrust their data to you.
• Merchants, service providers, issuers and any other parties that adhere to PCI Data security Standard requirements.
• PCI forensic investigators who research issues that arise.
• Quality assurance assessors.

6 Tips to Use When Segmenting a Network

Once you have decided that the benefits of segmenting your network far outweigh the initial investment, you may wonder how to get started.

We have come up with six tips that we believe will help:

1. Become Familiar with Key Terminology

First, take a moment to familiarize yourself and your team with some basic and commonly used terminology in network segmentation:

• In Scope. Any system directly involved with, connected to, or that may impact the security of your cardholder data.
• Connected-to. Any system that connects to the cardholder data environment (CDE), as well as those that are indirectly related to handling cardholder data.
• Out of Scope. Any system that has no access to CDE.

2. Assign One Person or Small Group to Tracking Cardholder Data Flows

Any good project starts with a rock-solid team, and your network segmentation mission is no different.

Assign one person, or a small group of staff members, who is responsible for learning all the places where cardholder data flows throughout the network. By placing this responsibility in the hands of one person, ideally, he or she can track this information more easily and consistently. This one person becomes the expert on the overall flow of cardholder data, as well as where and how it is used and stored, therefore reducing the scope of the CDE.

3. Interview Everyone on Your Team

The importance of open and frequent dialog cannot be overstated when it comes to understanding the flow of cardholder data. Interview employees since they likely know a great deal about seemingly random processes involving data since they work with it regularly. Key personnel to interview include process owners, anyone with access to data, web developers and your sales team.

Interviews give you insights into what a sales team member, for instance, does with a customer’s cardholder data upon completion of a transaction. Does he or she send it to accounting only? Maybe customer service is in the mix. Performing these key interviews gives you invaluable insights to your valuable information’s various pathways.

The more you understand about where cardholder data is and how it is used, the better you can properly segment it.

4. Develop a Data Flow Map of Cardholder Data

Based on the information that you gather through employee interviews and your independent research, create a visual representation of the flow of cardholder data.

5. Determine How You Want to Segment Your Network

Armed with a better understanding of your cardholder data flows, you are ready to determine the best way to segment your network.

The most common strategy used is via a firewall, which involves situating a piece of dedicated hardware between each network zone to limit network traffic. When choosing the firewall option, it is important that you configure your Access Control List (ACL) to define precisely what traffic is allowed to pass through the sections.

While firewall implementation is a common strategy to segmenting a network, it is certainly not the only one. Consider a few other options available to you:

Switches.

After a firewall, the switch approach to network segmentation is most common. IT teams often use switches internally, behind a firewall when segmenting network zones. However, it is possible for some switches to have their own set of independent ACLs. These are somewhat more difficult to manage than firewalls, but they are worth exploring if you have an ace on your IT team who is up for the task.

Air Gap.

With an air gap, segmentation begins with two network connections distributed through two distinct internet providers. With the right connections, this method can adequately separate your CDE.

Analog Phone Lines.

It may seem like a strange consideration to take anything offline these days, but that is precisely what this approach requires. With this method of segmenting a network, you will need to take your credit card processing offline, but the results are actually fairly foolproof. Using an analog phone line is simple because no internet connection instantly means no network intrusions.

Virtual LAN.

A virtual Local Area Network (vLAN) is any broadcast domain that features partitioning and isolation within a computer network and can be implemented and configured through software or network design and deployment.

Point-to-Point Encryption.

Point-to-Point Encryption (P2PE) is another common means of segmenting. In reality, it actually eliminates the need for segmentation altogether when using a validated P2PE client solution.

6. Get the Go-Ahead from Your Qualified Security Assessor

Ultimately, your Qualified Security Assessor (QSA) must verify that your segmentation approach and results are adequate to reduce your PCI scope. It also helps to bolster your confidence in your approach and results in network segmentation, especially if you are new to the process.

Your QSA has the experience and insights to detect any issues that might include network configuration, the controls you use to secure data and open ports between zones. He or she can verify your network segmentation during your next PCI audit.

Are You Ready to Implement a Network Segmentation Strategy?

Business leaders everywhere are looking for ways to protect valuable cardholder data, and they are finding that network segmentation is highly effective. Our QSAs and PCI auditors at I.S. Partners, LLC. are here to help you implement the right strategy for your business, employees, customers and any other third parties involved.
Call us at 215-631-3452, send us a message or start a chat session today!

About The Author

Mike Mariano

Michael is the Chief Information Security Officer at IS Partners as well as the leader of the penetration testing practice for AWA International. Michael has 15+ years’ experience in internal IT operations with 7 years of being involved in various levels of IT auditing with experience with PCI DSS, SOC 2, HITRUST CSF, Risk Assessments and experience working with Security Frameworks (such as ISO and NIST). Michael has worked with/at companies from 10 to 50,000 employees in size. Prior to joining IS Partners, Michael worked as the IT Operations Manager at AVASEK an MSP IS Security firm where he managed a team of six technicians to service 1500 client endpoints as well as the firm's Cloud Hosting Solution. while at AVASEK, Michael also performed gap assessments against HIPPA and NIST Security Frameworks and was a member of the incident response team. Michael’s specialties are IT Security and IT Management. He is experienced in performing security Risk Assessments, enforcing security policies, handling confidential information, deploying and administering network and application security systems, administrating SaaS products, Active Directory (AD), firewalls, routers, and VPN. Michael is HITRUST CCSFP and AWS CP Certified and has maintained various CompTIA Certifications over his career. He is currently working to achieve his GIAC GWAP and OSCP Certification in 2020.